Impact
A vulnerability in the protobufjs JavaScript library allows a crafted protobuf binary payload to trigger unbounded recursion while a decoded message is converted to a plain object or JSON representation. The library's toObject() function and the custom JSON conversion path for google.protobuf.Any enforce no depth limit, so deeply nested Any structures exhaust the JavaScript call stack. The result is a denial of service: the application crashes or becomes unresponsive. The weakness is uncontrolled recursion without a depth bound, classified as CWE-674.
Affected Systems
The affected product is protobufjs:protobuf.js. Versions earlier than 7.6.1 in the 7.x series and earlier than 8.4.1 in the 8.x series are vulnerable; every release before these patch versions that uses toObject() or the Any conversion features is impacted.
Risk and Exploitability
The CVSS score of 7.5 rates this denial of service as high severity. No EPSS data is available, so the current likelihood of exploitation is uncertain, and the vulnerability is not listed in the CISA KEV catalog. The vulnerability is reached when an application that incorporates protobufjs receives and converts a maliciously crafted protobuf binary from an external source. If the application exposes its protobuf ingestion interface over a network, a remote attacker could trigger the vulnerability by sending a large, deeply nested message. Where the incoming data is trusted, the risk is reduced but not eliminated, since any path that unmarshals and converts externally influenced bytes remains exposed.
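One mitigation for applications that cannot upgrade immediately is to bound nesting depth at the wire level before the bytes reach protobufjs. The following is an added example, not code from protobufjs or from the advisory; it assumes Node.js with no third-party modules, an application-chosen MAX_DEPTH, and a constructed sample payload built from a chain of google.protobuf.Any messages.

```javascript
// Added defensive pre-check, not protobufjs code: bound a payload's nesting depth at
// the wire level before its bytes reach decode()/toObject(). Assumes Node.js only.
const MAX_DEPTH = 32; // assumed application limit; derive it from your own schemas
function readVarint(buf, pos) { // base-128 varint at pos; null if truncated/too long
  let value = 0, mult = 1;
  for (let i = 0; i < 10 && pos < buf.length; i++, mult *= 128) {
    const b = buf[pos++];
    value += (b & 0x7f) * mult;
    if ((b & 0x80) === 0) return { value, pos };
  }
  return null;
}
// Depth of `buf` read as a message: each length-delimited field whose bytes parse as a
// well-formed message adds a level (conservative: some strings parse too). Returns -1
// if `buf` itself is malformed. Gives up past `limit`, so the checker's own recursion
// is bounded, unlike the conversion path it protects.
function nestingDepth(buf, limit = MAX_DEPTH, depth = 0) {
  if (depth > limit) return depth;
  let pos = 0, deepest = depth;
  while (pos < buf.length) {
    const tag = readVarint(buf, pos);
    if (!tag || tag.value < 8 || tag.value > 0xffffffff) return -1; // field 0 illegal
    pos = tag.pos; const wt = tag.value % 8;
    if (wt === 0) { const v = readVarint(buf, pos); if (!v) return -1; pos = v.pos; }
    else if (wt === 1 || wt === 5) pos += wt === 1 ? 8 : 4;           // fixed64/fixed32
    else if (wt === 2) {                                               // maybe submessage
      const len = readVarint(buf, pos);
      if (!len || len.pos + len.value > buf.length) return -1;
      deepest = Math.max(deepest, nestingDepth(buf.subarray(len.pos, len.pos + len.value), limit, depth + 1));
      pos = len.pos + len.value;
    } else return -1;                                                  // groups/reserved
    if (pos > buf.length) return -1;                                   // truncated fixed
  }
  return deepest;
}
// Gate to call before conversion: ok only for well-formed payloads within the limit.
function checkPayload(buf, limit = MAX_DEPTH) {
  const depth = nestingDepth(buf, limit);
  return { ok: depth !== -1 && depth <= limit, depth };
}
// Constructed sample: a chain of google.protobuf.Any messages, each carrying the next
// in its `value` (field 2) bytes, the shape the advisory describes.
const enc = (s) => [...new TextEncoder().encode(s)];
const varint = (n) => { const o = []; do { const b = n % 128; n = Math.floor(n / 128); o.push(n ? b | 0x80 : b); } while (n); return o; };
const lenField = (no, bytes) => [...varint(no * 8 + 2), ...varint(bytes.length), ...bytes];
function nestedAny(levels) {
  let msg = lenField(1, enc('type.googleapis.com/google.protobuf.Empty'));
  for (let i = 0; i < levels; i++)
    msg = [...lenField(1, enc('type.googleapis.com/google.protobuf.Any')), ...lenField(2, msg)];
  return Uint8Array.from(msg);
}
```

Rejecting when checkPayload(bytes).ok is false keeps a deeply nested chain from ever reaching toObject(); the depth estimate over-approximates, so set MAX_DEPTH comfortably above the deepest legitimate message your schemas produce.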
OpenCVE Enrichment
Github GHSA